General

  • Target

    BlockTheSpot-master.zip

  • Size

    388KB

  • Sample

    240520-cdme5aec78

  • MD5

    8cfb954c488f2b63156fb9a4a52020d6

  • SHA1

    786cf7adf8bdae4cb54ce17a84eccd5aa9aabde0

  • SHA256

    0fd57864cb820027ecddf4395633514ea6472f775cce6be99c95007b7410e1af

  • SHA512

    08e3ef3a5bbaadbd344d46e066f767043b8dc279aa1177b3036bd4a27f9bf94913925baebc90e5ad4eab6ef9aa4471efa23d61aa4f7e143f409dd5ec30a50b20

  • SSDEEP

    6144:ML7/9lE/6ACwBQSKORf2PzdJ2ehbPuew+Aalb6qNKCF0eZR3Xc/:kxa/6AlQSKnhw4c+3lb2CzfXM

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper
    http://upgrade.spotify.com/upgrade/client/win32-x86/spotify_installer-1.1.4.197.g92d52c4f-13.exe

Targets

    • Target

      BlockTheSpot-master/downgrade.bat

    • Size

      359KB

    • MD5

      e1c1b01bc33b17f01a3bdd84cceb459f

    • SHA1

      1d1bdf948117c05b745ea3a3a137cda065939eaf

    • SHA256

      e5ac829a0e6c75478d868d925663b1db9aa7d0e316ac53634766ef33c8f763c2

    • SHA512

      e4690bbcc9a9bba03bd8f8d7dd8e68e796399208d9923043dedfd636bffc5a30992b646f9b780c89e71ab2906d05d2294b525cffabab663e60d5456ce7ec9c27

    • SSDEEP

      3072:AvNBQ2hMg0RIG1h8avP4hlttvNlsfSPrbrXqUpwo2mdMQhJxAdOzERy3redp9OB5:AvU290mOghlt7lsKzbrFguPt1

    • Detect Lumma Stealer payload V4

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Target

      BlockTheSpot-master/install.bat

    • Size

      358KB

    • MD5

      2080fc685222b511643d34d9b1c7f8cb

    • SHA1

      b11c4e930560c9f18501ad6fe2aff522328a6ecc

    • SHA256

      ed08d3ed985d243d4c9c7924cf8766e090da631afca621fe5a7ca0a9c1936505

    • SHA512

      7e09fd478ff3e8cb2b0be9affddc86fbc44d311bc7dc9c378b5cfadd302ba64361f7db35f86cc6fccad5dfe12f4914b90376a235c56461dc3d96900bad7825f2

    • SSDEEP

      3072:kvNBQ2hMg0RIG1h8avP4hlttvNlsfSPrbrXqUpwo2mdMQhJxAdOzERy3redp9OB5:kvU290mOghlt7lsKzbrFguPt1

    • Score

      1/10

    • Target

      BlockTheSpot-master/netutils.dll

    • Size

      357KB

    • MD5

      301efd794940d799a9b67575ddf9e414

    • SHA1

      175465fc68f8b3e419342eeeb2b478c6649513a4

    • SHA256

      f1f024d75051dc703e7f176647d10c73a3f3e936d2f336b0083fab4511d62401

    • SHA512

      b662b367c7af9af7aa1043256438625c57962d12b8b2b711363ec172f556b445b399a51e10afbb463156b6f6dc9e3a58602c4848ac68b4552a091f47c055599c

    • SSDEEP

      3072:ovNBQ2hMg0RIG1h8avP4hlttvNlsfSPrbrXqUpwo2mdMQhJxAdOzERy3redp9OB5:ovU290mOghlt7lsKzbrFguPt1

    • Score

      3/10

MITRE ATT&CK Enterprise v15

Tasks